Configuring a site-to-site IPSec VPN to CDP One
This guide describes how to establish a site-to-site IPSec VPN (Virtual Private Network) connection from your firewall to CDP One. These steps are written for generic firewall configuration, so the concepts apply to all firewalls, but the configuration may vary depending on your exact firewall.
This configuration consists of a single tunnel using static routes. If you have any issues with the settings below, please create a case with Cloudera Support.
IPSec Tunnel Configuration
- Internet Key Exchange (IKE) Configuration
Configure the IKE SA as follows:
- IKE version: IKEv2
- Authentication Method: Pre-Shared Key
- Pre-Shared Key: <xxxx >
- Authentication Algorithm: sha256
- Encryption Algorithm: aes-256-cbc
- Lifetime: 24 hours
- Phase 1 Negotiation Mode: main
- Diffie-Hellman: Group 14
- IPSec Configuration
Configure the IPSec SA as follows:
- Protocol: esp
- Authentication Algorithm: sha256
- Encryption Algorithm: aes-256-cbc or aes-256-gcm
- Lifetime: 8 hours
- Mode: tunnel
- Perfect Forward Secrecy: Diffie-Hellman Group 14
- Tunnel Interface Configuration
Outside IP Addresses:
- Cloudera VPN Gateway: <x.x.x.x>
- Customer Gateway: (customer provided)
- Routing Configuration
Static routes will be used within the tunnel to send traffic between CDP One and your firewall.
Create a Security Policy Rule Set
- Outbound Rule – This will allow customer enterprise access to CDP One.
- Create a new policy, and for the following services:
- Knox: Proxy gateway for access to cluster services (TCP 443)
- SSH: (TCP 22)
- Add a second outbound Policy for ping (testing only).
- Create a new policy, and for the following services:
- Inbound Rule (optional) – This will allow CDP One to access specific enterprise resources.
- Create a new Security Policy and add services to allow CDP One to access specific enterprise data endpoints for providing data into the service, or for the service to push data into.
